b"Department of Homeland Security\n   Of\xef\xac\x81ce of Inspector General\n\n\n                 Internal Controls in the \n\n            FEMA Disaster Acquisition Process \n\n\n\n\n\nOIG-09-32                                     February 2009\n\x0c                                                                     Office of Inspector General\n\n                                                                     U.S. Department of Homeland Security\n                                                                     Washington, DC 25028\n\n\n\n\n                                     February 19, 2009\n\n\n                                           Preface\n\n\nThe Department of Homeland Security (DHS) Office of Inspector General (OIG) was\nestablished by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to\nthe Inspector General Act of 1978. This is one of a series of audit, inspection, and special\nreports prepared as part of our oversight responsibilities to promote economy, efficiency,\nand effectiveness within the department.\n\nThis report presents the results of the audit of the Federal Emergency Management\nAgency\xe2\x80\x99s internal controls governing disaster acquisitions. We contracted with the\nindependent public accounting firm of Urbach Kahn & Werlin LLP (UKW) to perform the\naudit. The contract required that UKW perform its audit according to generally accepted\ngovernment auditing standards. UKW identified six areas where internal controls could be\nstrengthened.\n\nUKW is responsible for the attached report dated January 28, 2009, and the conclusions\nexpressed in the report.\n\nThe recommendations herein have been developed to the best knowledge available to our\ncontractor and have been discussed in draft with those responsible for implementation. We\ntrust that this report will result in more effective, efficient, and economical operations. We\nexpress our appreciation to all who contributed to the preparation of this report.\n\n\n\n\n                                              Richard L. Skinner \n\n                                              Inspector General \n\n\x0c                                     January 28, 2009\n\n\n\nMr. Matt Jadacki\nDeputy Inspector General for Office of Emergency Management Oversight\nOffice of Inspector General\nDepartment of Homeland Security\n245 Murray Drive, Building 410\nWashington, DC 20528\n\n\nDear Mr. Jadacki:\n\n\nUrbach Kahn and Werlin performed an audit of internal controls over the Federal\nEmergency Management Agency disaster acquisition process. The audit objective was to\ndetermine the extent that internal controls over the disaster acquisition process have\nimproved since the 2005 Gulf Coast hurricanes and to identify weaknesses that remain.\nThis report presents the results of the audit and includes recommendations the agency can\nimplement to enhance the acquisition program\xe2\x80\x99s overall success. We performed the audit\nas stipulated in Task Order TPDFIGBPA070009A-0071.\n\nWe appreciate the opportunity to have conducted the audit. Should you have any\nquestions, or if we can be of any further assistance, please call me at (571) 227-9500.\n\n\n\n                                                         Sincerely,\n\n\n\n                                                         Roger Von Elm, CPA, CGFM\n                                                         Partner\n\x0cTable of Contents/Abbreviations \n\n\nExecutive Summary .........................................................................................................................1\n\n\nBackground ......................................................................................................................................2\n\n\nResults of Audit ...............................................................................................................................3\n\n   Improving FEMA Internal Controls ..........................................................................................3 \n\n   Recommendation .......................................................................................................................5\n\n   Management Comments and Contractor Analysis ....................................................................5 \n\n\n     Strengthening Contract Files Oversight.....................................................................................6 \n\n     Recommendations......................................................................................................................9\n\n     Management Comments and Contractor Analysis ....................................................................9 \n\n\n     Improving Performance Management of Contracting Officers .................................................9 \n\n     Recommendation .....................................................................................................................11\n\n     Management Comments and Contractor Analysis ..................................................................11 \n\n\n     Improving COTR Performance Feedback ...............................................................................11 \n\n     Recommendation .....................................................................................................................12\n\n     Management Comments and Contractor Analysis ..................................................................12 \n\n\n     Enhancing Oversight of Recommended Corrective Actions ...................................................13 \n\n     Recommendation .....................................................................................................................13\n\n     Management Comments and Contractor Analysis ..................................................................13 \n\n\n     Improving Contract Closeout Timeliness ................................................................................14 \n\n     Recommendations....................................................................................................................14\n\n     Management Comments and Contractor Analysis ..................................................................15 \n\n\n\nAppendices\n     Appendix A:            Purpose, Scope, and Methodology...................................................................16 \n\n     Appendix B:            Management Comments to the Draft Report ...................................................17 \n\n     Appendix C:            FEMA Acquisition Management Division Organization Chart ......................18 \n\n     Appendix D:            Report Distribution ..........................................................................................19 \n\n\x0cTable of Contents/Abbreviations \n\n\nAbbreviations\n  CO            Contracting Officer\n  COTR          Contracting Officer\xe2\x80\x99s Technical Representative\n  DHS           Department of Homeland Security\n  FAR           Federal Acquisition Regulation\n  FEMA          Federal Emergency Management Agency\n  FMFIA         Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982\n  FY            Fiscal Year\n  GAO           Government Accountability Office\n  IMAT          Incident Management Assistance Team\n  OAM           FEMA Office of Acquisition Management\n  OMB           Office of Management and Budget\n  OIG           Office of Inspector General\n  UKW           Urbach Kahn & Werlin LLP\n\x0cOIG\n\nDepartment of Homeland Security\nOffice of Inspector General\n\nExecutive Summary\n                Urbach Kahn & Werlin LLP audited the Federal Emergency\n                Management Agency\xe2\x80\x99s (FEMA) acquisition process to determine the\n                extent to which internal controls have improved since the 2005 Gulf\n                Coast hurricanes and to identify weaknesses that remain. FEMA has\n                begun to establish a control environment over the disaster acquisition\n                process. However, additional safeguards to protect assets and prevent\n                and detect errors should be implemented. FEMA should:\n\n                   \xef\xbf\xbd\t Establish an internal control board and assess the adequacy of its\n                      internal controls annually;\n\n                   \xef\xbf\xbd\t Hold contracting officers accountable for their contract file\n                      maintenance responsibilities;\n\n                   \xef\xbf\xbd\t Implement departmental policy requiring that contracting\n                      officers report to contracting professionals for technical\n                      performance elements;\n\n                   \xef\xbf\xbd\t Hold contracting officer\xe2\x80\x99s technical representatives accountable\n                      for their delegated contract management tasks in performance\n                      evaluations;\n\n                   \xef\xbf\xbd\t Determine what audit findings and recommendations the Office\n                      of Acquisition Management is responsible for and ensure that\n                      corrective action is taken; and\n\n                   \xef\xbf\xbd\t Comply with Federal Acquisition Regulation on contract close\n                      out, so that unused funds can be spent to address future needs.\n\n                FEMA concurred with the recommendations and has begun to address\n                some of the weaknesses identified in the report.\n\n\n\n\n                    Internal Controls in the FEMA Disaster Acquisition Process\n\n                                         Page 1\n\x0cBackground\n                          Federal program managers are continually seeking ways to better\n                          achieve agencies\xe2\x80\x99 missions and program results. A key factor in\n                          helping achieve such outcomes is to implement appropriate internal\n                          controls. Internal controls comprise the plans, methods, and\n                          procedures that an agency uses to meet missions, goals, and\n                          objectives, and in doing so (1) support performance-based\n                          management and (2) help prevent fraud, waste, and abuse.\n\n\n                                                      Internal Controls\n                                    An integral component of an organization\xe2\x80\x99s\n                                    management that provides reasonable assurance that\n                                    the following objectives are being achieved:\n                                    \xef\xbf\xbd Effectiveness and efficiency of operations,\n                                    \xef\xbf\xbd Reliability of financial reporting, and\n                                    \xef\xbf\xbd Compliance with applicable laws and regulations.\n\n                                    Standards for Internal Control in the Federal Government\n                                    (GAO/AIMD-00-21.3.1, November 1999)\n\n\n\n                          Internal controls, along with monitoring controls to determine their\n                          effectiveness, help screen out fraud and are the most effective and\n                          efficient means to do so. Figure 1, below, illustrates the important\n                          role internal controls play in fraud prevention.\n\n                        Figure 1: Using Internal Controls to Prevent Fraud\n\n\n\n\n                        Source: UKW, from a U.S. Government Accountability Office figure1\n\n\n\n\n1\n    INDIVIDUAL DISASTER ASSISTANCE PROGRAMS: Framework for Fraud Prevention, Detection, and\nProsecution, (GAO-06-954T, July 2006).\n\n                             Internal Controls in the FEMA Disaster Acquisition Process\n\n                                                    Page 2\n\x0c                      As programs change and agencies strive to improve operational\n                      processes, they must continually assess and update internal controls as\n                      necessary to ensure effectiveness. For example, in response to lessons\n                      learned from the 2005 Gulf Coast hurricanes, FEMA has:\n\n                            \xef\xbf\xbd\t Restructured the Chief Procurement Office;\n\n                            \xef\xbf\xbd\t Created the Office of Acquisition Management (OAM);2\n\n                            \xef\xbf\xbd\t Increased the number of prepositioned contracts to support\n                               disaster response activities;\n\n                            \xef\xbf\xbd\t Established a contracting officer\xe2\x80\x99s technical representative\n                               (COTR) training program;\n\n                            \xef\xbf\xbd\t Developed a strategy map and scorecard to guide its internal\n                               operations; and\n\n                            \xef\xbf\xbd\t Identified initiatives for strengthening the internal controls of\n                               acquisition operations.\n\n\n                        However, much work remains to be done. FEMA has yet to\n                        implement hundreds of recommendations that would result in more\n                        effective, efficient, and economical operations.3 Government\n                        internal control standards,4 which define the minimum level of\n                        acceptable quality for internal controls, prescribe that internal control\n                        monitoring should ensure that audit findings are promptly resolved.\n\n\n\nResults of Audit\n        Improving FEMA Internal Controls\n                In fiscal year (FY) 2007, FEMA could not provide reasonable assurance of\n                the effectiveness of its internal controls. FEMA has yet to implement the\n                Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982 (FMFIA) and a number\n                of key corrective actions. Additionally, FEMA does not yet have formal\n                processes in place to provide oversight of internal control improvements,\n\n2\n  In January 2009, OAM was renamed the Acquisition Management Division as part of a FEMA Management \n\nDirectorate realignment. See Appendix C for updated organization chart.\n\n3\n  Status Report on Open Recommendations to DHS Components (OIG-08-27, February 2008). \n\n4\n  Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, November 1999). \n\n\n                           Internal Controls in the FEMA Disaster Acquisition Process\n\n                                                Page 3\n\x0cincluding a FEMA-wide accountability structure for monitoring ongoing\ninternal control activities.\n\nOffice of Management and Budget (OMB) Circular A-123 and the statute it\nimplements, FMFIA, are at the heart of federal requirements to improve\ninternal controls. The circular defines\nmanagement\xe2\x80\x99s responsibility for internal\ncontrols and provides guidance on              What is \xe2\x80\x9cTONE AT THE TOP?\xe2\x80\x9d\n                                               \xe2\x80\x9cTone at the Top\xe2\x80\x9d refers to the\nimproving the accountability and               ethical atmosphere created in the\neffectiveness of operations by                 workplace by the organization\xe2\x80\x99s\nestablishing, assessing, correcting, and       leadership. Employees pay close\nreporting on internal controls.                attention to the behavior and\nManagement is responsible for setting          actions of their bosses, and they\n                                               follow their lead. In short,\nthe \xe2\x80\x9cTone at the Top,\xe2\x80\x9d or the ethical          employees will do what they\natmosphere created in the workplace.           witness their bosses doing.\nBy not implementing FMFIA and not\ntaking timely corrective actions,              Association of Certified Fraud Examiners\n\nFEMA\xe2\x80\x99s management has not set the\n\xe2\x80\x9cTone at the Top\xe2\x80\x9d that is critical to strong internal controls.\n\nFMFIA requires managers to examine internal controls annually to\ndetermine how well they are performing, how they may be improved, and\nthe degree to which they help identify and address major risks for fraud,\nwaste, abuse, and mismanagement. FEMA has not assessed internal\ncontrols annually, nor has it established an internal control review board to\nformally oversee internal control improvements. OMB Circular A-123\nrequires agencies to integrate internal controls into their systems to direct\nand guide operations and encourages agencies to establish a senior\nmanagement council or internal control board to address management\naccountability and related issues within the broader context of agency\noperations.\n\nFEMA offices, including OAM, have not performed required internal\ncontrol reviews. The Acting Chief Financial Officer said, \xe2\x80\x9cWe are not as far\nalong as we need to be\xe2\x80\x9d with implementing Circular A-123. Office of the\nChief Financial Officer officials said that key staff vacancies and the\ncatastrophic nature of the 2005 hurricane season caused delays in\nimplementing the circular. FEMA has written a draft internal control board\ncharter, but as of September 2008, it had not approved the charter or\nestablished the board.\n\n\n\n\n            Internal Controls in the FEMA Disaster Acquisition Process\n\n                                 Page 4\n\x0cThe draft internal control board charter shows the Chief Financial Officer as\nthe council chair. To demonstrate management\xe2\x80\x99s commitment to support a\nhealthy internal control\nenvironment and to bring\nappropriate focus to the            Senior Management Council Chair\n                                    To ensure senior management\ncrosscutting issues affecting       involvement, many agencies have created\nnot only OAM, but also all of       their own senior management council,\nFEMA, the internal control          often chaired by the agency\xe2\x80\x99s lead\nboard should be chaired by the      management official, to address\nFEMA Administrator or               management accountability and related\n                                    issues in the broader context of agency\nDeputy Administrator. Having        operations.\nthe chair at a higher level\nwould demonstrate                   OMB Circular A-123\nmanagement\xe2\x80\x99s commitment to\na strong control system. It would also focus attention on acquisition process\nimprovement initiatives that contribute to the Administrator\xe2\x80\x99s inability to\nprovide a positive assurance statement on FEMA internal controls.\n\n\nRecommendation:\n       We recommend that the Administrator, Federal Emergency\n       Management Agency\n\n       Recommendation #1: Implement the requirements of the Federal\n       Managers\xe2\x80\x99 Financial Integrity Act at the office and branch level in\n       FEMA and establish an internal control board chaired by either the\n       FEMA Administrator or Deputy Administrator.\n\n\nManagement Comments and Contractor Analysis\n     FEMA concurred with the recommendation and said that it would\n     provide a detailed corrective action plan in its 90-day response. We\n     consider FEMA\xe2\x80\x99s planned action responsive to the recommendation.\n\n\n\n\n          Internal Controls in the FEMA Disaster Acquisition Process\n\n                               Page 5\n\x0cStrengthening Contract Files Oversight\n     The contract file is the record\n     of what the government                       Effective Internal Controls\n     bought, how they bought it,       Ensure all transactions and other significant\n     and how the contractor            events are authorized, approved, and clearly\n     performed. OAM does not           documented, and the documentation is readily\n                                       available for examination.\n     routinely monitor contracting\n     officers\xe2\x80\x99 (CO) compliance         Standards for Internal Control in the Federal Government\n     with contract file policies and (GAO-AIMD-00-21.3.1, November 1999)\n     procedures, organization and\n     maintenance regulations, and contract closeout requirements. FEMA could\n     not locate 27% of the contract files requested for review. Many contract\n     files are not organized and are missing key information.\n\n     Federal Acquisition\n     Regulation (FAR)                    Contract File Documentation Should \xe2\x80\x93\n     Subpart 4.8 contains the      \xef\xbf\xbd\t Provide a complete background to inform\n     requirements for                   decisions at each step of the acquisition process\n                                   \xef\xbf\xbd\t Support actions taken\n     establishing, maintaining,\n                                   \xef\xbf\xbd\t Provide information for reviews and\n     and disposing of contract          investigations\n     files. It requires that       \xef\xbf\xbd\t Furnish essential facts in the event of litigation\n     contract file                      or congressional inquiries.\n     documentation be\n                                   Federal Acquisition Regulation\n     sufficient to constitute a\n     complete history of the\n     acquisition. FAR Subparts 4.802 and 4.803 describe types of contract files\n     and examples of records that they should contain, the contract file\n     organization requirements, and maintenance and closeout guidance.\n     Contract files should contain items such as the following:\n\n         \xef\xbf\xbd\t Purchase request, acquisition planning, and other presolicitation\n            requirements;\n\n         \xef\xbf\xbd\t Justifications and approvals;\n\n         \xef\xbf\xbd\t Evidence of the availability of funds;\n\n         \xef\xbf\xbd\t Cost/price proposals;\n\n         \xef\xbf\xbd\t Basis for the acquisition and the award;\n\n\n\n\n                 Internal Controls in the FEMA Disaster Acquisition Process\n\n                                      Page 6\n\x0c         \xef\xbf\xbd\t Assignment of contract responsibilities, including payment \n\n            responsibilities;\n\n\n         \xef\xbf\xbd\t Independent government cost estimates; and\n\n         \xef\xbf\xbd\t CO\xe2\x80\x99s determination of the contractor\xe2\x80\x99s responsibility.\n\nCOs could not find many of the contract files we requested. Figure 2 shows\nthat COs could not locate 32 of the 120 contract files we requested (27 %).\nHeadquarters\xe2\x80\x99 COs could not find 16 of 24 files (67%). Regional and\ndisaster field office COs could not find 16 of 96 files (17%). In some\ninstances, COs did not provide files until months after they were requested,\nor COs provided files that they created to respond to our request.\n\nFigure 2: UKW Contract Files Requested and Received from FEMA\n\n\n                              140\n   Number of Contract Files\n\n\n\n\n                              120\n                              100\n                                                                                                 Files requested\n                              80\n                                                                                                 Files received\n                              60\n                                                                                                 Files not received\n                              40\n                              20\n                               0\n                                     Headquarters           Field              Total\n\n\nSource: UKW\n\n\nOAM did not have a standardized approach to documentation and file\nmaintenance. COs had access to acquisition file checklists designed for\nvarious contract types and situations. These checklists appeared to be in line\nwith FAR requirements and showed what items to include in the contract\nfile. However, COs were not required to use the checklists, and we did not\nfind them in most of the files we reviewed. Basic documents were missing\nfrom the files, and many existing documents did not contain authorizing\nsignatures. The missing or unsigned documents included contracts, COTR\ndesignation letters, FEMA Form 40-1 \xe2\x80\x9cRequisition and Commitment for\nServices and Supplies,\xe2\x80\x9d and FEMA Form 60-1 \xe2\x80\x9cRequisition for Supplies,\nEquipment and/or Services.\xe2\x80\x9d\n\nSupervisors did not hold COs accountable for maintaining complete,\norganized files, and OAM did not monitor file contents to ensure that they\nwere complete and organized. The condition of contract files appeared to\nrelate directly to the responsible CO\xe2\x80\x99s diligence in file maintenance.\n\n\n                                    Internal Controls in the FEMA Disaster Acquisition Process\n\n                                                         Page 7\n\x0cAt one office, the CO was adamant about the files leaving \xe2\x80\x9ca footprint\xe2\x80\x9d so\nthat anyone could pick up a contract file and know the history of the\ncontract. This CO used the FEMA acquisition file checklist (FEMA\nForm 40-13) for every file created in the region and in the disaster response\nfield office the CO supported. However, the CO and other FEMA officials\ntold us the checklist had been rescinded from FEMA procedures.\n\nAt OAM headquarters, COs found 8 of 24 contract files (33%) we\nrequested. The 8 contract files were not consistent in content or structure.\nCOs included an acquisition file checklist in only two files. Documentation\nwas missing from most of the headquarters contract files.\n\nContracting staff turnover contributed to and exacerbated file maintenance\nissues. Frequently, contract files were transferred as a result of personnel\nchanges and if the file was not in order at this point, it was difficult if not\nimpossible for the newly assigned CO to put the file in order.\n\nWhen contract files are disorganized and incomplete, particularly when COs\nchange, the incoming CO has no way of knowing what has been done up to\nthe point when the file was passed on. Also, not monitoring a CO\xe2\x80\x99s\nadherence to contract file organization and maintenance requirements\nexposes FEMA to fraud, waste, and abuse. It is difficult, if not impossible,\nto establish what the contract was for, if appropriate contracting competition\nrules were followed, if the government received a fair price, and if the goods\nor services were properly delivered and paid for.\n\nIn September\n2008, the OAM                Recent FEMA Standard Operating Procedures\nDirector issued       \xef\xbf\xbd\t \xe2\x80\x9cLabeling and Organizing Official Contract File Folders\xe2\x80\x9d\ntwo standard          \xef\xbf\xbd\t \xe2\x80\x9cTransfer of Contract Files from the Joint Field Office to\noperating                  the Appropriate Regional Office\xe2\x80\x9d\nprocedures that\n                      FEMA Office of Acquisition Management\naddress aspects\nof the contract files management problems. The procedures require FEMA\nCOs and contract specialists to create and maintain contract file folders as\nrequired by the FAR, and to retain files in a central file location during\nperiods of inactivity and when completed. The procedures require COs at\ndisaster field offices to transfer files, which include a complete acquisition\nhistory, prior to leaving the field office.\n\nBoth procedures include checklists that reference FAR requirements and\nrequire contracting staff to identify specific document locations. The\nchecklists could serve as a mechanism to hold contracting staff accountable\nfor their file management responsibilities. With modification, the\nprocedures for transferring files from disaster field offices could be\n\n           Internal Controls in the FEMA Disaster Acquisition Process\n\n                                Page 8\n\x0c     expanded to include all instances when a contract file is transferred from\n     one CO to another. For additional information on acquisition policies and\n     procedures and acquisition workforce issues, see Challenges Facing\n     FEMA\xe2\x80\x99s Acquisition Workforce, OIG-09-11, November 2008.\n\n\n     Recommendations:\n            We recommend that the Director, Office of Acquisition\n            Management:\n\n            Recommendation #2: Require that all files transferred from one\n            contracting officer to another contracting officer meet criteria\n            consistent with policy included in the standard operating procedure\n            on joint field office file transfer.\n\n            Recommendation #3: Require supervisors to monitor contract file\n            maintenance and hold contracting officers and contracting specialists\n            accountable by including, in the annual performance evaluation\n            process, an assessment of their contract file maintenance activities.\n\n\n     Management Comments and Contractor Analysis\n            FEMA concurred with the recommendations and said that it would provide\n            a detailed corrective action plan in its 90-day response. We consider\n            FEMA\xe2\x80\x99s planned action responsive to the recommendations.\n\n\nImproving Performance Management of Contracting Officers\n     COs who work in regions or in disaster\n     operations field offices commonly                      GS-1102 Rating Official\n     report to and receive performance                The Head of Contracting Activity\n     appraisals from supervisors who are              shall ensure that all GS-1102s in\n     not certified contracting professionals.         their organizational element have a\n     This is contrary to DHS policy, and              certified GS-1102 contracting\n                                                      professional designated as the rating\n     because the rating official is frequently        official of record for GS-1102\n     a manager reporting to superiors who             technical performance factors.\n     have program delivery responsibilities,\n     it creates a potential conflict-of\xc2\xad              DHS Management Directive # 0781.1\n\n     interest situation for the CO.\n\n\n\n\n                Internal Controls in the FEMA Disaster Acquisition Process\n\n                                     Page 9\n\x0cInternal control standards indicate that key duties and responsibilities need\nto be divided or segregated among different people to reduce the risk of\nerror or fraud, and that transactions should be authorized and executed only\nby persons acting within the scope of their authority. DHS MD 0781.1,\nContracting Professional\n(GS-1102) Career\nInformation, requires that                            Conflict of Interest\n                                   Any relationship that is or appears to be not in\ncertified contracting              the best interest of the organization\xe2\x80\xa6a conflict\nprofessionals evaluate the         of interest would prejudice an individual's\ntechnical performance of all       ability to perform his or her duties and\ncontracting professionals.         responsibilities objectively.\nFEMA has not consistently          Institute of Internal Auditors\nimplemented MD 0781.1\nrequirements.\n\nOAM officials said that they provide technical assistance and guidance to\nregional and disaster response field office contracting staff, but that the\nCO\xe2\x80\x99s supervisor, usually a Finance/Administration Section manager,\nevaluates the CO\xe2\x80\x99s performance for all performance factors. In essence, the\nCO\xe2\x80\x99s performance evaluation is provided by the \xe2\x80\x9ccustomer,\xe2\x80\x9d which may\npotentially affect the CO\xe2\x80\x99s independence.\n\nIn 2007, the Director of OAM discussed changing regional CO reporting\nresponsibilities with regional managers. Regional managers opposed the\nchange.\n\nOne regional CO reporting to regional program managers said that although\nhe had never been forced to take actions that he did not feel comfortable\nwith, sometimes the bosses did not like the decisions the CO had to make\nand did not like it when he called OAM for technical assistance.\n\nDuring FY 2007, FEMA began to assemble new national and regional\nresponse teams, called Incident Management Assistance Teams (IMATs), to\nensure FEMA\xe2\x80\x99s capability to immediately deploy qualified and experienced\npersonnel and capabilities in support of any disaster incident response.\nFEMA\xe2\x80\x99s IMAT concept of operations places the teams in the FEMA\nDisaster Operations Directorate. Some teams will include a full-time CO\nwith a reporting chain similar to regional and disaster field office COs.\n\nCOs are responsible for ensuring that acquisitions take place according to\nfederal contracting rules. Having a CO\xe2\x80\x99s technical performance and career\nadvancement controlled by the customer or a supervisor who is not a\ncertified contracting professional increases the risk of fraud, waste, abuse,\nand mismanagement in the FEMA disaster acquisition process.\n\n\n           Internal Controls in the FEMA Disaster Acquisition Process\n\n                               Page 10\n\x0c     Recommendation:\n             We recommend that the Director, Office of Acquisition\n             Management:\n\n             Recommendation #4: Implement policy in compliance with\n             Department of Homeland Security Management Directive #0781.1\n             and require that all contracting officers have a certified contracting\n             professional as their rating official of record for technical\n             performance factors. Contracting officers should report to\n             headquarters Office of Acquisition Management.\n\n\n     Management Comments and Contractor Analysis\n             FEMA concurred with the recommendation and said that it would provide\n             a detailed corrective action plan in its 90-day response. We consider\n             FEMA\xe2\x80\x99s planned action responsive to the recommendation.\n\n\nImproving COTR Performance Feedback\n     FEMA COTRs serve an important,\n     clearly defined role in the               Common COTR Responsibilities\n     acquisition process. In November      \xef\xbf\xbd\t Monitor contractor\xe2\x80\x99s performance\n     2007, the OAM Director issued         \xef\xbf\xbd\t Maintain a file documenting COTR\n     policy that established COTR              actions\n     responsibilities and requirements.    \xef\xbf\xbd\t Communicate with contractor regarding\n     According to the policy, the              performance\n                                           \xef\xbf\xbd\t Alert CO to contractor deficiencies\n     program office recommends a           \xef\xbf\xbd\t Review and approve invoices\n     COTR for the contract, and the CO\n     appoints the COTR and establishes     FEMA Office of Acquisition Management Policy\n     COTR expectations in writing.\n     The appointment letter lists the COTR\xe2\x80\x99s duties and responsibilities.\n\n     COTRs perform their technical acquisition functions under the CO\xe2\x80\x99s\n     direction, but the FEMA performance management system does not hold\n     them accountable for their COTR duties. COTRs frequently work for the\n     program office that requested the contract and report to a program office\n     supervisor. Often, the COTR function is a collateral duty, and the CO does\n     not rate the COTR\xe2\x80\x99s contract management performance.\n\n\n\n\n                Internal Controls in the FEMA Disaster Acquisition Process\n\n                                    Page 11\n\x0cHuman capital permeates virtually every effort within an agency, including\nsuccessfully acquiring goods and services, and executing and monitoring\ncontracts. Human capital policies and practices, a critical factor in the\ncontrol environment, should include a performance management system that\nprovides candid and constructive feedback to help people understand their\ncontributions and help the organization achieve its goals.\n\nWith no formal process in place for the CO to provide performance\nfeedback to the COTR\xe2\x80\x99s supervisor, the COTR\xe2\x80\x99s evaluation may not reflect\ncontract technical oversight responsibilities. The COTR is not ensured\ncredit for contract oversight accomplishments or counseling to address\nperformance deficiencies. This could reduce the effectiveness and\nconsistency of both the contracting and the evaluation process. OAM said\nthat DHS has considered creating a policy to require the COTR\xe2\x80\x99s supervisor\nto include the CO\xe2\x80\x99s performance feedback in the COTR\xe2\x80\x99s annual appraisal.\n\n\nRecommendation:\n       We recommend that the Administrator, Federal Emergency\n       Management Agency:\n\n       Recommendation #5: Revise the performance management process\n       so that the supervisor of record includes the contracting officer\xe2\x80\x99s\n       written assessment of the contracting officer\xe2\x80\x99s technical\n       representative\xe2\x80\x99s contract management performance in the annual\n       performance appraisal. The assessment should address factors listed\n       in the designation letter.\n\n\nManagement Comments and Contractor Analysis\n       FEMA concurred with the recommendation and said it would provide a\n       detailed corrective action plan in its 90-day response. We consider\n       FEMA\xe2\x80\x99s planned action responsive to the recommendation.\n\n\n\n\n          Internal Controls in the FEMA Disaster Acquisition Process\n\n                              Page 12\n\x0cEnhancing Oversight of Recommended Corrective Actions\n     FEMA and OAM do not\n     effectively track audit\n                                             Tracking Audit Recommendations\n     findings and                        Audit follow-up is an integral part of good\n     recommendations, and do not         management, and is a shared responsibility of\n     have an accurate report on          agency management officials and auditors.\n     the status of corrective\n                                         OMB Circular A-50 Revised\n     actions relative to those audit\n     recommendations. These weaknesses exist because FEMA does not place\n     sufficient emphasis on effectively tracking audit results. Consequently,\n     there is increased risk of inefficient and ineffective operations, and\n     management is not able to provide assurance that issues reported in audits\n     are addressed.\n\n     FEMA maintains corrective action plans in separate audit files, but does not\n     have an effective automated tracking system to monitor its response to\n     GAO, OIG, and other internal studies and evaluations. FEMA uses a\n     \xe2\x80\x9cspreadsheet approach,\xe2\x80\x9d which relies on manual input as new audit\n     recommendations are issued or changes in the status of corrective actions\n     occur.\n\n     FEMA is developing an automated tracking system. We reviewed\n     information from the new system on OAM audit recommendations and\n     found it to be incomplete and unreliable. OAM does not have a current or\n     accurate list of audit recommendations for which it is responsible. Without\n     a current, accurate inventory of open recommendations, OAM may not take\n     recommended corrective actions to improve the acquisition process.\n\n\n     Recommendation:\n             We recommend that the Director, Office of Acquisition\n             Management:\n\n             Recommendation #6: Determine what audit findings and\n             recommendations the Office of Acquisition Management is\n             responsible for and ensure that corrective action is taken.\n\n\n     Management Comments and Contractor Analysis\n             FEMA concurred with the recommendation and said that it would provide\n             a detailed corrective action plan in its 90-day response. We consider\n             FEMA\xe2\x80\x99s planned action responsive to the recommendation.\n                Internal Controls in the FEMA Disaster Acquisition Process\n\n                                    Page 13\n\x0c        Improving Contract Closeout Timeliness\n                 As discussed in the preceding\n                 sections of this report, effective\n                                                              Effective Internal Controls\n                 internal controls help FEMA to      Help ensure that management\xe2\x80\x99s directives are\n                 better achieve mission and          carried out. Control activities should be\n                 program results, including          effective and efficient in accomplishing the\n                 compliance with applicable          agency\xe2\x80\x99s control objectives.\n                 laws and regulations. Effective Standards for Internal Control in the Federal\n                 internal controls would have        Government (GAO/AIMD-00-21.3.1, November 1999)\n                 prompted COs in FEMA\xe2\x80\x99s\n                 regional and disaster operations field offices to adhere to the FAR and\n                 FEMA guidance governing contract closeouts. These COs did not close out\n                 contracts within the timeframes prescribed under FAR Subpart 4.804-1 and\n                 the FEMA Disaster Contracting Desk Guide, resulting in unliquidated\n                 obligations5 of more than $5 billion that could be used for other needs.\n\n                 COs are required to start the contract closeout process when FEMA has\n                 received and paid for all the goods and services it purchased. However,\n                 OAM did not monitor contract closeouts or hold COs accountable. Further,\n                 missing and incomplete contract files make it difficult to close contracts in a\n                 timely manner.\n\n                 OAM officials agreed that the issue of closing contracts and deobligating\n                 unused funds was serious, and they have begun to address it. FEMA has\n                 hired a contractor to assist in closing contracts whose performance periods\n                 have ended. OAM officials told us that they have deobligated $76 million\n                 since the contractor began work in 2007. Although this is a sizeable\n                 amount, given over $5 billion in unliquidated obligations, much work\n                 remains.\n\n\n                 Recommendations:\n                          We recommend that the Director, Office of Acquisition\n                          Management:\n\n                          Recommendation #7: Require each contracting officer to close out\n                          contract files according to timeframes in the Federal Acquisition\n                          Regulation and FEMA policy.\n\n\n5\n An obligation occurs when FEMA signs a contract; an unliquidated obligation is the amount of a financial\nobligation not yet expended (Source: U.S. Department of Agriculture, Departmental Regulation 2230-001,\nReviews of Unliquidated Obligations, August 22, 2006).\n\n                             Internal Controls in the FEMA Disaster Acquisition Process\n\n                                                  Page 14\n\x0c     Recommendation #8: Accelerate closeout of eligible contracts so\n     that funds are more quickly made available for future use.\n\n\nManagement Comments and Contractor Analysis\n     FEMA concurred with the recommendations and said that it would provide\n     a detailed corrective action plan in its 90-day response. With regard to\n     recommendation #7, FEMA said that either the Management Directorate\xe2\x80\x99s\n     Acquisition Management Division personnel, or contractor support, will\n     close out contract files. With regard to recommendation #8, FEMA said\n     that the Acquisition Management Division is working with the Office of\n     the Chief Financial Officer to address the close-out of eligible contracts.\n     We consider FEMA\xe2\x80\x99s current and planned actions responsive to the\n     recommendations.\n\n\n\n\n        Internal Controls in the FEMA Disaster Acquisition Process\n\n                            Page 15\n\x0cAppendix A\nPurpose, Scope, and Methodology\n\n\n                   DHS OIG contracted with UKW to audit internal controls over the\n                   FEMA acquisition process. The audit objective was to determine\n                   the extent to which internal controls have improved since the 2005\n                   Gulf Coast hurricanes and to identify weaknesses that remain.\n\n                   We conducted this performance audit according to generally\n                   accepted government auditing standards (Government Auditing\n                   Standards, July 2007 revision). Those standards require that we\n                   plan and perform the audit to obtain sufficient, appropriate\n                   evidence to provide a reasonable basis for our findings and\n                   conclusions based on our audit objectives. We believe that the\n                   evidence obtained provides a reasonable basis for our findings and\n                   conclusions based on our audit objectives.\n\n                   The audit focused on acquisitions from October 2006 through\n                   July 2008. We reviewed FEMA and OAM records and a\n                   judgmental sample of contract files selected at headquarters and\n                   field offices. We performed work at FEMA headquarters in\n                   Washington, DC; at the Brentwood, Tennessee Joint Field Office;\n                   the Atlanta, Georgia and Kansas City, Missouri Regional Offices;\n                   and the New Orleans and Baton Rouge, Louisiana Transitional\n                   Recovery Offices. We held discussions with FEMA officials\n                   throughout the audit and discussed audit results with FEMA\n                   officials on November 5, 2008.\n\n                   To establish criteria for this audit, we researched U.S. laws and\n                   regulations; DHS directives; FEMA policies and guidance; and\n                   OMB, GAO, and Office of Federal Procurement Policy (OFPP)\n                   requirements and guidelines applicable to internal control and to\n                   acquisition activities. We reviewed assessments of the FEMA\n                   acquisition process prepared by FEMA contractors and prior\n                   reports and congressional testimony by FEMA, DHS OIG, and\n                   GAO to identify their findings and recommendations related to\n                   FEMA\xe2\x80\x99s acquisition process. We reviewed information, including\n                   contract file checklists, contained on the Virtual Acquisition\n                   Office, an acquisition knowledge management subscription service\n                   that is available to OAM staff.\n\n\n\n\n                     Internal Controls in the FEMA Disaster Acquisition Process\n\n                                         Page 16\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n\n\n                    Internal Controls in the FEMA Disaster Acquisition Process\n\n                                        Page 17\n\x0cAppendix C\nFEMA Acquisition Management Division Organization Chart\n\n\n\n\nSource: FEMA\n\n\n\n\n                    Internal Controls in the FEMA Disaster Acquisition Process\n\n                                        Page 18\n\x0cAppendix D\nReport Distribution\n\n                      Department of Homeland Security\n\n                      Secretary\n                      Deputy Secretary\n                      Chief of Staff\n                      Deputy Chief of Staff\n                      General Counsel\n                      Executive Secretary\n                      Director, GAO/OIG Liaison Office\n                      Assistant Secretary for Office of Policy\n                      Assistant Secretary for Office of Public Affairs\n                      Assistant Secretary for Office of Legislative Affairs\n                      FEMA Audit Liaison (Job Code DC7A01)\n\n                      Office of Management and Budget\n\n                      Chief, Homeland Security Branch\n                      DHS OIG Budget Examiner\n\n                      Congress\n\n                      Congressional Oversight and Appropriations Committees, as\n                      appropriate\n\n\n\n\n                        Internal Controls in the FEMA Disaster Acquisition Process\n\n                                            Page 19\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199,\nfax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.\n\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal\nmisconduct relative to department programs or operations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603;\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202) 254-4292;\n\n\xe2\x80\xa2 Email us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n       DHS Office of Inspector General/MAIL STOP 2600,\n       Attention: Office of Investigations - Hotline,\n       245 Murray Drive, SW, Building 410,\n       Washington, DC 20528.\n\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c"